11 February 2020
All the personal data your company collects must, under law, be kept private and safe. But how can regulatory agencies be certain that companies are upholding their customers' rights in this area?
Article 30 of the General Data Protection Regulation (GDPR) specifically deals with the need for recordkeeping on how, why, where and nearly any other question that addresses how your company processes personal data.
This article of the GDPR gives distinct outlines on what records you need to keep whenever processing private information, as well as how the records must be kept and the directive to make available any such records a supervisory agency requires.
Without recordkeeping there would be no accountability for actions. There would be no way to hold anyone responsible for anything.
By implementing this legal requirement for recordkeeping, the GDPR is ensuring that all companies dealing with personal information in the EU can be held accountable for keeping personal data safe.
There are severe penalties in place if your company fails to comply with GDPR standards.
Depending upon the specific area of non-compliance, infringements are classified as either upper- or lower-level. Most failures to meet Article 30 regulations on recordkeeping are a low-level infringement.
The fine for a low-level infringement is whichever is greater between:
If your infringement is deemed a high-level, the fine is doubled to €20 million or 4% of revenue.
Complying with the recordkeeping laws under Article 30 of the GDPR does more than simply ensure you won't suffer fines or other consequences.
Keeping these records will allow your company to benefit in various ways, including:
In short, keeping records is an important part of your company's growth, as I'm sure you're aware. So, following the GDPR's recordkeeping guidelines regarding data processing is beneficial in many ways, both direct and indirect.
In general, all companies will need to follow some recordkeeping guidelines. However, if your company is small enough, your need to keep records regarding the processing of personal data will be less strict than larger organizations.
The GDPR stipulates that companies with fewer than 250 employees do not have to keep records on certain data processing activities.
Specifically, these smaller companies do not need to keep records on activities that meet all three of these guidelines:
Here are some practical examples of data processing activities and where they'd fall within the above guidelines:
Article 9 of the GDPR defines the special categories of data that you must always record when processed, no matter your company's size.
These categories are data involving:
Article 30 gives clear directions for what records need to be kept when data is processed. Such records must be kept in written format which can be electronic or on paper.
Your business would most likely benefit more from electronic recordkeeping due to the ease of updating, searching, adding to, etc. such a system.
The Information Commissioner's Office (ico.), the regulatory office which oversees the GDPR, has developed and provides templates which your business can follow in recording your data processing activities. There's a separate template for controllers and a separate template for processors. They are available towards the bottom of this page.
Under GDPR guidelines there are distinct differences drawn between controllers of data and processors of data, including what responsibilities you have to record data processing activities as either one.
In Article 4 of the GDPR, controllers are defined as:
"the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law"
Processors are defined as:
"a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller"
Whether you are a controller or processor of personal data, some recordkeeping will be necessary. However, controllers are required to be more in-depth when documenting their data processing activities.
When controllers conduct data processing activities they need to maintain a record which documents all of the following information:
The records kept by your company if you are only the processor of the data must include:
As you can see, the necessary recordkeeping for data processing activities is much greater for controllers of data than for processors, but in both cases the GDPR takes care to outline exactly what needs to be documented, keeping the stress on your business as minimal as possible.
Taken as a whole, the idea of making your business comply with Article 30 recordkeeping guidelines may seem daunting. My advice for you is not to look at it as one big step you need to take, but as several smaller measures that will, together, benefit your company and help to ensure your compliance with the GDPR.
The first step to properly maintaining records of your data processing activities is to make certain you know exactly what records your company will need to keep.
If your company employs fewer than 250 people and only rarely processes personal data, you may need to maintain very few records for the GDPR.
Be certain you know if the data processing activities you company undertakes involve any data that may risk an individual's rights or if the information falls under one of the special categories mentioned earlier, as there always needs to be records on data processing in these cases.
You will also need to be certain if your company is acting as the controller of the data you process, or if it is the processor of the data on someone else's behalf, as this changes what information you need to document.
All businesses keep records. It is essential to their growth and success. If your business already has a good, adaptable record keeping system in place, you may be able to easily modify it to document the necessary recordkeeping on your data processing activities.
If the system you already have is not going to be able to maintain a proper record of your data processing, you will need to create one, but this is not a terribly difficult task. The templates mentioned before are relatively simple and can easily be used as a part of your recordkeeping system or used as a base of what yours may look like.
Once you know what information you need to keep and have a system in place to make documenting that information efficient and smooth, you should go back over everything one last time, just to ensure GDPR compliance. After all, you don't want a fine of €20 million or %4 of your company's revenue made the last year!